PT-2026-53116 · Pypi · Praisonai

Published

2026-06-18

·

Updated

2026-06-18

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal

Summary

PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing:
  • artifact storage for tool outputs, history, and terminal logs;
  • history persistence with search; and
  • terminal session logging.
The module also exports agent-callable tool factories:
  • create history tools() returns history search, history tail, and history get.
  • create terminal tools() returns terminal tail, terminal grep, and terminal commands.
Those tools accept run id and agent id arguments from the tool caller. The underlying stores join those values into filesystem paths without rejecting absolute paths or .. traversal:
python
history dir = self.base dir / run id / "history"
return history dir / f"{agent id}.jsonl"
python
terminal dir = self.base dir / run id / "terminal"
return terminal dir / f"{agent id}.log"
Because run id can be an absolute path and agent id can contain traversal, a lower-trust prompt/user that can call these tools can read .jsonl and .log files outside the configured Dynamic Context base directory.

Affected Product

  • Repository: MervinPraison/PraisonAI
  • Ecosystem: pip
  • Package: praisonai
  • Component: Dynamic Context history and terminal tools
  • Current source paths:
  • src/praisonai/praisonai/context/history store.py
  • src/praisonai/praisonai/context/terminal logger.py
  • Latest PyPI version validated: 4.6.58
  • Current origin/main validated: 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
  • Current origin/main tag validated: v4.6.58
Suggested affected range:
text
pip:praisonai >= 3.8.1, <= 4.6.58
Representative local sweep:
  • 3.8.1: vulnerable
  • 4.0.0: vulnerable
  • 4.5.113: vulnerable
  • 4.6.33: vulnerable
  • 4.6.34: vulnerable
  • 4.6.40: vulnerable
  • 4.6.50: vulnerable
  • 4.6.58: vulnerable

Root Cause

HistoryStore. get history path() and TerminalLogger. get log path() treat logical identifiers as path segments, but never validate that the resolved path stays under base dir.
History path construction:
python
def get history path(self, run id: str, agent id: str) -> Path:
  history dir = self.base dir / run id / "history"
  history dir.mkdir(parents=True, exist ok=True)
  return history dir / f"{agent id}.jsonl"
Terminal path construction:
python
def get log path(self, run id: str, agent id: str) -> Path:
  terminal dir = self.base dir / run id / "terminal"
  terminal dir.mkdir(parents=True, exist ok=True)
  return terminal dir / f"{agent id}.log"
The agent tools pass caller-controlled run id and agent id directly into these helpers:
python
def history tail(agent id: str = "default", run id: str = "default", count: int = 10) -> str:
  messages = history store.get last messages(agent id=agent id, run id=run id, count=count)
python
def terminal tail(agent id: str = "default", run id: str = "default", lines: int = 50) -> str:
  return term logger.tail session(agent id=agent id, run id=run id, lines=lines)
There is no check equivalent to:
python
resolved = candidate.resolve()
base = self.base dir.resolve()
resolved.relative to(base)
There is also no identifier allowlist preventing /, ``, or .. in run id or agent id.

Local PoV

Run against the latest PyPI package:
bash
uv run --with 'praisonai==4.6.58' 
 python poc/pov prai cand 027 history terminal tools path traversal.py --json
The PoV:
  1. Creates a temporary Dynamic Context base directory.
  2. Creates a separate outside directory containing secret.jsonl and secret.log.
  3. Creates legitimate in-base history and terminal log controls.
  4. Calls history tail() and history get() with run id=<outside-dir> and agent id=../secret.
  5. Calls terminal tail() and terminal grep() with the same traversal.
  6. Confirms the traversal paths resolve to files outside the configured base.
Observed output summary from evidence/pov-pypi-4.6.58.json:
json
{
 "package": "praisonai",
 "package version": "4.6.58",
 "controls": {
  "valid history read works": true,
  "valid terminal read works": true,
  "outside history file outside base dir": true,
  "outside terminal file outside base dir": true,
  "traversal history path resolves to outside file": true,
  "traversal terminal path resolves to outside file": true
 },
 "outside history tail": "Last 1 messages:

[system]: PRAI-CAND-027-HISTORY-SECRET",
 "outside terminal tail": "PRAI-CAND-027-TERMINAL-SECRET
second line
",
 "outside terminal grep": "Found 1 matches:

--- Line 1 ---
> PRAI-CAND-027-TERMINAL-SECRET
 second line",
 "vulnerable": true
}
The PoV is local-only. It does not start a server, contact a third-party target, or use real credentials.

Why This Is Not Intended Behavior

This report does not claim that history and terminal helpers should be unable to read legitimate history or terminal logs. The issue is narrower: logical run id and agent id values can escape the configured Dynamic Context base directory.
The controls show the intended boundary:
  • legitimate in-base history remains readable;
  • legitimate in-base terminal logs remain readable;
  • the outside .jsonl and .log files are not under the configured base dir; and
  • the tools still disclose those outside files through traversal identifiers.
The official context reference describes history persistence and terminal logging as filesystem-backed Dynamic Context features. The context security documentation also treats absolute paths, path traversal, and sensitive files as privacy/security risks. Reading files outside the configured context store conflicts with that documented boundary.

Impact

If a PraisonAI application exposes these Dynamic Context tools to untrusted or lower-trust prompts, the lower-trust caller can read files outside the configured context storage when the target file can be reached with the tool-imposed suffix:
  • history * tools can disclose reachable .jsonl files;
  • terminal * tools can disclose reachable .log files; and
  • cross-run or cross-agent context/history/logs can be disclosed if their path is known or guessable.
This can expose conversation history, prompts, terminal output, command logs, tokens, API keys, cloud credentials, operational data, or other secrets stored in JSONL/log files readable by the PraisonAI process.
The impact is confidentiality-only in the tested surface. Integrity and availability are not claimed for this report.

Severity

Suggested severity: High.
Rationale:
  • AV: applies when an application exposes an agent with these tools over a network chat/API surface.
  • AC: the traversal needs only chosen run id and agent id values.
  • PR: an unauthenticated or public-facing agent endpoint can be exploited without an account. Deployments that require authenticated chat/API access may score this as PR:L.
  • UI: the attacker directly supplies the prompt/tool argument to the exposed agent surface.
  • C: conversation history and terminal logs can contain secrets and private operational data.
  • I:N/A: this report demonstrates read-only disclosure.

Remediation

Treat run id and agent id as logical identifiers, not path components.
Recommended fixes:
  1. Reject absolute paths, path separators, and traversal components in run id and agent id.
  2. Build candidate paths, call .resolve(), and reject any path that is not under self.base dir.resolve().
  3. Apply the same containment helper to history append/read/search/clear/export and terminal log/read/search/clear/export paths.
  4. Prefer opaque server-generated run and agent IDs in tool schemas.
  5. Add regression tests for absolute run id, ../ in run id, and ../ in agent id for history and terminal tool factories.
Minimal containment shape:
python
def safe child(self, *parts: str) -> Path:
  candidate = self.base dir.joinpath(*parts).resolve()
  base = self.base dir.resolve()
  try:
    candidate.relative to(base)
  except ValueError as exc:
    raise PermissionError("Context path is outside configured base dir") from exc
  return candidate
Pair this with an identifier allowlist, because run id and agent id should not need filesystem syntax.

Fix

Information Disclosure

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-22CJ-M4WF-FV2C

Affected Products

Praisonai